APD/GBA (Belgium) - 107/2024
From GDPRhub
| APD/GBA - 107/2024 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 12(3) GDPR Article 15 GDPR |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | |
| Decided: | 23.08.2024 |
| Published: | |
| Fine: | 100,000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 107/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | French |
| Original Source: | APD/GBA (in FR) |
| Initial Contributor: | wp |
The DPA fined a controller €100,000 for failing to answer a data subject’s access request in a timely manner. However, the DPA rejected the data subjects request to receive information on the specific employees who accessed their data.
English Summary
Facts
The data subject was a customer of a telecommunication company (the controller). The controller unilaterally modified the subscriptions and billings of the data subject. The data subject opposed these changes and initiated a mediation proceedings before the Telecommunications Mediation Service (Service de médiation pour les télécommunications). During the proceedings, the controller explained it was a human error that caused the modification.
The data subject filed access request under Article 15 GDPR with the controller, indicating they were interested in data from the exact period and the information about which employees and for what reason accessed their data. The data subject explicitly wished for a response in a table format.
The data subject received partially anonymised data relating to their contract with the controller. The controller neither disclose the identity of their employees who accessed the data subject’s data nor the purpose of that access.
Due to the lack of satisfying response of the controller, the data subject lodged a complaint with the Belgian DPA (ADP/GBA).
In a response to the complaint, the controller clarified that the access request referred to data regarding an employees of the controller. Because of that, the request was not answered as expected by the data subject.
Holding
The DPA upheld the complaint partially.
Although, prior to the access request, the data subject already had some data, it didn’t influence their right to access. Article 12(3) GDPR sets out prerequisites to dismiss, inter alia, the data subject’s access request. None of the reasons stipulated in that provision was applicable in the case at hand. The DPA emphasised the controller was not relieved from their duty to fully answer an access request only because the data subject already possessed the data.
However, the DPA found that the data subject's request to receive information on the specific employees who accessed their data was unfounded. Data of that kind could be disclosed if there was prevailing interest of the data subject. Yet, the data subject didn’t demonstrate any interest to access information regarding the controller's employees. Hence, the controller was not obliged to include employees’ data in their response to the access request.
Nevertheless, the controller failed to handle the access request in accordance with Article 12(2) GDPR. The electronic communication channel used by the controller didn’t contain the functionality of responding to the data subject’s messages. Moreover, the controller’s employees didn’t properly manage the access request. For this reason, the access request was answered exceeding the time limit of Article 12(3) GDPR. The DPA noted the full answer to the access request eventually took place during the proceedings before the DPA. According to the DPA, such a conduct amounted to a gross negligence of controller’s duties. As a result, the controller violated Article 15 GDPR. The DPA imposed a fine of €100,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/21
Litigation Chamber
Decision on the merits 107/2024 of 23 August 2024
File number: DOS-2022-02420
Subject: Complaint regarding a response granted with a delay of more than 14 months
from the exercise of the complainant's right of access
The Litigation Chamber of the Data Protection Authority, consisting of Mr.
Hielke H IJMANS, President, and Messrs. Dirk Van Der Kelen and Christophe Boeraeve, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and
on the free movement of such data, and repealing Directive 95/46/EC (General Data
Protection Regulation), hereinafter "GDPR";
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter "LCA");
Having regard to the internal rules as approved by the Chamber of Representatives on 1
20 December 2018 and published in the Belgian Official Journal on 15 January 2019;
Having regard to the documents in the file;
Has taken the following decision concerning:
The complainant: X, hereinafter "the complainant";
The defendant: Y, hereinafter “the defendant”
1The new internal regulations of the APD, following the amendments made by the Law of 25 December 2023
amending the law of 3 December 2017 establishing the data protection authority (LCA) came into force on
01/06/2024.
In accordance with Article 56 of the law of 25 December 2023, it only applies to complaints, mediation files,
requests, inspections and procedures before the Litigation Chamber initiated from this date:
https://www.autoriteprotectiondonnees.be/publications/reglement-d-ordre-interieur-de-l-autorite-de-protection-des-
donnees.pdf.
Cases initiated before 01/06/2024, as in this case, are subject to the provisions of the LCA as not amended by the Law of 25 December 2023 and the internal regulations as they existed before that date. Decision on the merits 107/2024 — 2/21
I. Facts and procedure
1. On 7 June 2022, the complainant filed a complaint with the Data Protection Authority
against the defendant.
2. The complaint concerns the follow-up given to the complainant's exercise of his right of access.
3. The complainant was a customer of the defendant - the latter being a
telecommunications company. Between 27 January 2021 and 26 February 2021, the defendant modified
several of the complainant's subscriptions and billings, even though the latter had not
made any such request.
4. On 27 August 2021, at the end of a mediation procedure initiated by the complainant on 26 June
2021 with the Telecommunications Mediation Service, the Ombudsman closed the
procedure, considering that all the useful information requested by the complainant had
been communicated to him. As part of this procedure, the defendant informed the
complainant that the inconveniences suffered in connection with his various
subscriptions and billings with it were caused by human error. Following this
response, the complainant stated that he was still waiting for an exact clarification of the
situation.
5. On 25 January 2022, the complainant contacted the defendant via his
Messenger chat, asking for the contact details of its Data Protection Officer (DPO
hereinafter). This
responds that she does not have a DPO email address but still processes her request
in the chat.
6. On the same day, the complainant indicates that she wants to exercise her right of access on the basis of Article 15
of the GDPR, and specifies that she wants to be informed for a period from January 1, 2021 to December 31, 2021. He also specifies that he wants a response in a table format that he
indicates in the chat, including for each access to his personal data the
following elements: date, employee or "employee number", and reason(s) for access.
7. Still on the same day, the defendant asks the complainant to clarify his request.
The complainant responds the next day that his request is simple and clear.
8. On 13 March 2022, the complainant reminded the defendant of his request for access, and informed that
if he did not respond before the end of March 2022, a complaint would be filed with the DPO.
On the same day, the defendant, still via chat, asked the complainant for further explanations in order to be able to carry out the necessary checks. The complainant responded by
explaining that he wanted to know which of the defendant’s employees had accessed his
personal data. The defendant replied that it was not possible to know, and that
the request was “beyond [its] scope of intervention”. The complainant indicated
again that his request was addressed to the DPO, and that if he did not respond before the end of
March, he would file a complaint with the DPO. The employee (in charge of the chat) of the Decision on the merits 107/2024 — 3/21
defendant responds by inviting the complainant to contact her again for any other
request.
9. On June 9, 2022, the complaint is declared admissible by the Front Line Service on the basis
of Articles 58 and 60 of the LCA and the complaint is forwarded to the Litigation Chamber under
Article 62, § 1 of the LCA.
10. On February 27, 2023, the Litigation Chamber decides, under Article 95, § 1, 1° and
Article 98 of the LCA, that the case can be dealt with on the merits.
On the same date, the parties concerned are informed by registered mail of the
provisions as set out in Article 95, § 2 and Article 98 of the LCA. They are
also informed, pursuant to Article 99 of the LCA, of the deadlines for submitting their
submissions. The deadline for receipt of the respondent's submissions in response
has been set at 10 April 2023, that for the complainant's submissions in reply at 1 May
2023 and that for the respondent's submissions in reply at 22 May 2023.
11. On 2 March 2023, the respondent agrees to receive all communications relating
to the case by electronic means and expresses its intention to use the possibility of being
heard, in accordance with Article 98 of the LCA. She requested by the same email a
copy of the file (art. 98, §2, 3° LCA), which was sent to her on March 14, 2023.
12. On March 22, 2023, the complainant agreed to receive all communications relating
to the case electronically.
13. On March 28, 2023, the defendant responded to the complainant's request for access by
providing the activity logs relating to the complainant's contract covering the entire year 2021.
For security and confidentiality reasons, the defendant anonymized all
"logins".
14. On April 7, 2023, the Litigation Chamber received the submissions in response from the
defendant. The latter having filed summary submissions, its argument
is summarized in point 16 below.
15. On 30 April 2023, the Litigation Chamber received the submissions in reply from the
complainant. In summary, here is what the complainant defends:
- He requests that his complaint be declared well-founded;
- The rights he derives from Articles 12 and 15 of the GDPR have not been respected by the
defendant, it being understood that it did not allow him to contact its DPO, that it
responded to his request for access with a year and a half delay, and that it has never
responded concerning the purposes for which its employees accessed the complainant's account and
personal data; Decision on the merits 107/2024 — 4/21
- To impose a more severe sanction than a warning, taking into account the number of
requests and reminders that he made;
- To anonymize all personal data relating to it;
- Not to anonymize the defendant.
16. On May 22, 2023, the Litigation Chamber receives the summary conclusions from
the defendant. In summary, the latter defends the following:
- It was not its responsibility to provide access to the information requested by the complainant
it being understood: (i) that the personal data of the employees of the
defendant do not constitute personal data of the complainant himself and that the same employees cannot be considered as
2
recipients of the data within the meaning of Art. 15.1.c) of the GDPR, (ii) that the complainant had all the information at the time of filing this complaint, it being understood that
the contact address of the defendant's DPO could be found on the
latter's website and that the responses to the other requests he made were brought to his
attention on 30 July 2021, and (iii) that the right conferred by Article 15 of the
GDPR does not constitute an absolute right, and that he may therefore encounter certain limits when it is
balanced against the rights and freedoms of third parties (Article 15.4 GDPR), as in this case
where the rights and freedoms of the defendant’s employees prevail over the complainant’s right of access
;
- Failure to meet the response deadline provided for in Article 12.3 GDPR cannot in itself
result in a sanction;
- The Litigation Chamber cannot take a decision on the breaches
alleged by the complainant in his email of 23 March but which did not appear in the
invitation to conclude letter that it sent to the parties on 27 February 2023,
it being understood that the defendant cannot be expected to defend itself
against them adequately;
- To declare the breaches alleged by the complainant unfounded if the
Litigation Chamber were to examine them.
17. On 29 April 2024, the parties were informed that the hearing would take place on 31 May 2024.
18. On 31 May 2024, the parties were heard by the Litigation Chamber.
19. On 10 June 2024, the minutes of the hearing were submitted to the parties.
2It is clear from the defendant’s submissions that it was Article 15.1.b) of the GDPR that was cited. However, it appears from reading
these submissions that the defendant was referring to Article 15.1.c) of the same Regulation. Decision on the merits 107/2024 — 5/21
20. On 12 June 2024, the Litigation Chamber received from the defendant some
formal remarks relating to the minutes, which were annexed to the latter in
accordance with Article 54, paragraph 2 of the Rules of Procedure.
21. On 17 June 2024, the Litigation Chamber received from the complainant some
remarks relating to the minutes. These called for substantial changes to the
minutes, which could not be made since the discussions had been closed at the end
of the hearing.
22. On 3 July 2024, the Litigation Chamber informed the defendant of its intention to
impose an administrative fine and the amount of the fine, in order to
give the defendant the opportunity to defend itself before the penalty is
actually imposed.
23. On 22 July 2024, the Litigation Chamber received the defendant's
reaction regarding the intention to impose an administrative fine and the amount of the
fine. The content of the defendant's reaction is summarised in points 85 et seq.
II. Grounds
II.1. As to the alleged violation of the right of access (Article 15 of the GDPR)
II.1.1. As for the content of the follow-up granted to the right of access by the defendant
24. The Litigation Chamber recalls that Article 4,1) of the GDPR defines personal data as "any information relating to an identified or
identifiable natural person (hereinafter referred to as "data subject"); an "identifiable natural person" is deemed to be a natural person who can be identified, directly or
indirectly, in particular by reference to an identifier, such as a name, an identification
number, location data, an online identifier, or to one or more specific
elements specific to his physical, physiological, genetic, mental,
economic, cultural or social identity; […]".
25. Processing of personal data means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.
3GDPR, Art. 4.2. Decision on the merits 107/2024 — 6/21
26. Under Article 15.1 of the GDPR, the data subject has the right to obtain from the
controller confirmation as to whether or not personal data concerning him or her are being
processed. Where this is the case, the data subject has the
right to obtain access to said personal data as well as to a series of
information listed in Article 15.1 a) to h) such as the purpose of the processing of
his/her data, the possible recipients of his/her data as well as information relating to the
existence of his/her rights, including the right to request the rectification or erasure of his/her
data or the right to file a complaint with the DPA.
27. The third paragraph of Article 15 specifies that “the data controller shall provide a
copy of the personal data being processed. […]”. This paragraph
enshrines one and the same right with the first paragraph of the same article. Furthermore, it
is clear from the case law of the CJEU that this right implies the possibility for the person
concerned to obtain "the reproduction of extracts from documents or even entire
documents or extracts from databases […]" if this proves essential. However, the
reading of this right cannot be dissociated from that of Article 15.4 which provides that a balance must be
made with the rights and freedoms of others, where appropriate.
28. The Litigation Chamber recalls that the right of access constitutes an essential requirement
of the right to data protection, since it constitutes the “gateway” that allows
the exercise of the other rights conferred by the GDPR on the data subject.6
29. In the present case, it appears that the complainant exercised his right of access on 25 January
2022, a request to which the defendant responded on 28 March 2023 by providing the
complainant with a partially anonymised version of the activity logs relating to his contract
spanning the whole of 2021. The defendant adds in its submissions that the
complainant had already asked questions similar to those in his request
for access in the context of the mediation procedure (see point 4), which ended on 27
August 2021, it being understood that the Ombudsman considered that all the information useful
had been communicated to the complainant.
30. In this regard, it must be clarified that in no way could a data controller be
discharged from its obligation to follow up on the exercise of the right of access on the sole ground
that the complainant already had the requested information prior to the exercise
of said right. Article 12.5 does provide that it may in particular be refused to comply with
the exercise of one of the rights referred to in Articles 15 to 22 of the GDPR where the request of the
data subject is manifestly unfounded or excessive, however none of these
4CJEU, judgment of 4 May 2023, Österreichische Datenschutzbehörde, C-487/11, paragraph 32.
5
CJEU, judgment of 12 January 2023, Österreichische Post AG, C-154/12, paragraph 41.
6CJEU, judgment of 12 January 2023, Österreichische PostAG, C-154/12, paragraphs 37 and 38; CJEU, judgment of 20 December 2017, Nowak,
C-434/16, paragraph 57 ;CJEU,judgmentof17July2014,YSetal.,C-141/12andC-372/12,paragraph44;CJEU,judgmentof7May2009,Rijkeboer,
paragraph52.Decisiononthesubstance107/2024 — 7/21
twoexceptionswerenotinvokedbythedefendant.Inanycase,theuseofoneoftheseexceptionsmust,underArticle12.4oftheGDPR,benotifiedtothedata subjectas soonaspossible,andatthelatest“withinonemonthofreceiptoftherequest […]”–this being absent from the exchanges between the
complainantandthedefendant.
31. Concerning the content of the follow-up given to the request for access, the complainant stated in
his submissions that he remained dissatisfied (a) in that he had not obtained
additional explanations as to the purposes of the processing carried out by the employees of the
defendant, and (b) in that he had not obtained the identity of the employees of the
defendant who had carried out the said processing. However, the complainant explicitly stated
during the hearing held on 31 May 2024 (see point 18) that he was satisfied with the
response that the defendant sent him following his request for access made on 25 January 2022 – but not with the
manner in which the response was delivered to him.
The Litigation Chamber nevertheless considers it important to carry out the examination below,
since it is in no way relieved of the examination of compliance with the GDPR by the fact that part
of the complaint has become moot.
a) Access to the purposes of the processing
32. On the one hand, it is clear from the documents in the case that the defendant communicated a
partially anonymized version of the activity logs covering the whole of 2021 relating to the
complainant's contract dated 28 March 2023. In addition, the complainant stated that he was satisfied
with the data he received following the email of 28 March 2023.
33. It therefore appears to the Litigation Chamber that the complainant's request relating to the
purposes of the processing has been exhausted.
b) Access to the identity of employees who carried out the processing
34. On the other hand, the Litigation Chamber notes that the defendant refused to grant
access to the personal data relating to its employees (see points 7 and 16) –
request made on 25 January 2022 by the complainant.
35. The Litigation Chamber recalls in this regard that the personal data of
employees do not constitute personal data of the data subject,
8
which therefore places them outside the scope of Article 15 of the GDPR. However,
recital 63 of the GDPR specifies that this cannot lead a data controller to “refuse
any communication of information to the data subject.”.
7Decision of the Contentious Chamber 63/2020 of 22 September 2020, paragraph 16.
8CJEU, judgment of 22 June 2023, Pankki S., C-579/21, paragraph 83. Decision on the merits 107/2024 — 8/21
36. Furthermore, it is also clear from the case-law of the CJEU that, given the essential role that the right of access plays for data subjects, the latter may
access the personal data of employees of a controller who has processed their personal data if this proves necessary for the exercise of the
9
other rights guaranteed to them by the GDPR. Furthermore, a balance must be struck between the right of access of the data subject in question and – as set out in Article 15.4 of the GDPR – the rights and freedoms of others (corresponding, in this case, to the employees of the defendant).
37. The Litigation Chamber further specifies that the CJEU makes a distinction between an employee
who acts according to the instructions and under the authority of his employer, and an employee who
acts outside the instructions and authority of his employer – the former benefiting
from greater protection of his identity than the latter. However, this
distinction has no impact in the present case.
38. Indeed, the Litigation Chamber notes that the complainant does not demonstrate, in his
submissions, any interest in obtaining the identity of the employees who have
mistakenly processed his personal data. Furthermore, the complainant indicates in his submissions
that he has an interest in knowing the purposes of the processing of his personal
data, but not necessarily the identity of the employees who carried out this
processing. During the hearing held on 31 May 2024, the complainant stated that he had no interest
in accessing the purposes of the processing of his data, nor in the
identity of the employees who carried out the processing.
39. Consequently, the Litigation Chamber considers that the rights and freedoms of
the defendant's employees prevail over the complainant's right to access their identity.
40. In any event, the Litigation Chamber recalls, emphasizing the reasoning
given by the defendant, that the defendant's employees cannot be considered
as recipients within the meaning of Article 15.1.c) of the GDPR.
41. Consequently, the complainant's initial request –
relating to the identity of the defendant's employees – cannot be granted on the basis of this provision.
II.1.2. As for the modalities relating to the exercise of the right of access (Articles 12.2, 12.3 and
15 of the GDPR)
42. Under Article 12.1 of the GDPR, it is up to the data controller to take "
appropriate measures to provide any information referred to in Articles 13 and 14 as well as
9CJEU, judgment of 22 June 2023, Pankki S., C-579/21, paragraph 83.
10
Ibid., paragraph 73; See also Decision of the Contentious Chamber 89/2023 of 28 June 2023, paragraph 22.
1CJEU, judgment of 22 June 2023, Pankki S., C-579/21, paragraph 73. Decision on the merits 107/2024 — 9/21
to make any communication under Articles 15 to 22 and Article 34 concerning the processing to the data subject in a concise, transparent,
intelligible and easily accessible manner, in clear and plain language [...]. ».
43. In addition, it is the responsibility of the data controller to facilitate the exercise of the rights of the
data subject (Article 12.2 of the GDPR) and to provide him/her with information on the measures
taken following a request made under Articles 15 to 22 of the GDPR,
as soon as possible and in any event within one month of receipt
of the request. Article 12.3 of the GDPR provides that this period may, if necessary, be extended by
two months, taking into account the complexity and number of requests. In such a case, the
data controller shall inform the data subject of this extension and the
reasons for the postponement within one month of receipt of the request.
44. In its recital 59, the GDPR specifies that in order to facilitate the exercise, by the data subject, of the rights he or she enjoys under the same Regulation, "The controller should also provide the means to submit requests by electronic means, in particular when personal data are processed electronically." In this regard, the Litigation Chamber has already had the opportunity to state that "[i]n any event, the data subject should not be penalized in any way for not having sent his or her request to the correct address."
45. Furthermore, in its Guidelines 01/2022 on the right of access, the European Data Protection Board ("EDPB") explains that this possibility of extending the response deadline constitutes a derogation from the general rule and that it can only occur in certain circumstances on an exceptional basis. Furthermore,
the EDPB notes that if a data controller is often forced to
extend this period, this could indicate a failure in its procedure for processing
access requests.
46. It follows from all this that the defendant has an obligation to follow up on the complainant’s
exercise of the right of access under Article 15 of the GDPR in accordance with the
terms of Article 12 of the GDPR, these two articles being intrinsically
linked.
47. Based on the documents in the case file, the Litigation Chamber notes two things. On the one hand,
it notes that in its response of 25 January 2022 to the complainant, the defendant stated
that it did not have a dedicated email address for its DPO. Furthermore, in a response of 13
1Decision of the Disputed Chamber 41/2020 of 29 July 2020, paragraph 83.
13EDPB, Guidelines 01/2022 on data subject rights - Right of access, of 28 March 2023, paragraph 162, available at:
https://edpb.europa.eu/system/files/2023-04/edpb guidelines 202201 data subject rights access v2 en.pdf Decision on the merits 107/2024 — 10/21
March 2022, the defendant informed the complainant that its request for access falls outside its scope of intervention.
48. In this way, the Litigation Chamber concludes that the defendant did not facilitate
the exercise of the rights of the data subject in accordance with Article 12.2 of the GDPR in
that although there was an electronic communication channel, it was not able
to respond to the complainant’s request or to redirect it to – for example – its
DPO as it should have done in order to guarantee the full effectiveness of Article 12.2 of the
GDPR and therefore, of Article 15 of the GDPR exercised by the complainant. In other words, the
defendant did not offer the complainant responses or processing of his request
of sufficient quality. This finding cannot be altered by the fact that the
DPO’s email address was included, at the time of the facts, in the
defendant’s privacy policy.
49. Furthermore, regarding the communication channel used during the exchanges between the
complainant and the defendant between 25 January 2022 and 13 March 2022, the
Litigation Chamber wishes to point out, for information purposes only and without this constituting
any position on its part that could result in a sanction, that the defendant must, in addition to guaranteeing that the responses given to the complainants via
the Facebook chat are of sufficient quality, ensure that this communication channel
meets the appropriate security requirements as defined in Articles 5.1.f), 24, 25
and 32 of the GDPR. 50. On the other hand, and as already mentioned above (see point 29), it notes that the
complainant exercised his right of access on 25 January 2022 – a request to which the
defendant responded in a useful manner on 28 March 2023, i.e. during the course of these proceedings.
51. The complainant insists in his submissions on the fact that his request for access was responded to more than 14 months late.
52. The defendant, without denying the delay with which it responded to the complainant’s request for
access, notes that sanctions could not be imposed on it on the sole basis of the
breach of Article 12.3 of the GDPR.
53. In this regard, and without ignoring the judgments of the Court of Markets
2019/AR/1006 of 9 October 2023 and 2019/AR/1234 of 23 October 2023, the
Contentious Chamber nevertheless emphasizes that the exercise of the rights of data subjects
can only be truly effective if the data controller is required to
respond to the exercise of such rights within a reasonable period, which has been set by the
European legislator at one month, with certain exceptions. To assert the
opposite would amount to allowing the data controller not to react or to react too late
in such a way that the exercise of the right by the data subject would prove to be
totally futile. Decision on the merits 107/2024 — 11/21
Article 12 of the GDPR is, like the rights of the data subject enshrined
in Chapter III of the GDPR, also explicitly sanctioned by Article 83.5 b) of the GDPR 14
without Article 12.3. being excluded. It is useful to specify that Article 83.5.b) of the GDPR
dedicates the higher level of sanctions referred to in Article 83 of the same Regulation.
54. The Litigation Chamber notes that the violation of Articles 12.3 and 15 of the GDPR is
undeniable, in that the defendant does not dispute having responded to the complainant's request for access
14 months late. By responding to the complainant’s request for access
well beyond the deadline set by Article 12.3 of the GDPR, the defendant was guilty
of a continuous violation of the complainant’s right of access for 14 months.
55. By way of conclusion, the Litigation Chamber concludes that the defendant violated
Articles 12.2, 12.3 and 15 of the GDPR in that the complainant only obtained a
response to his request for access after more than 14 months’ delay from the defendant, in particular
because it did not facilitate the exercise of the complainant’s right of access. Furthermore, the
Litigation Chamber points out that this response was granted to the complainant in the context
of the exchange of submissions between the parties in the present proceedings, without which the
violation of the complainant’s rights would likely have continued. However, the finding relating to
Articles 12.2 and 12.3 is not taken into account in determining the penalty
it being understood that these two provisions were not included in the letter by which the
Litigation Chamber invited the parties to conclude (see point 10).
II.2. As for the other complaints
56. The Litigation Chamber notes the parties’ arguments regarding the additional complaints
relating to Articles 5, 6 and 7.1 of the GDPR.
57. However, and as recalled by the defendant in its submissions, the
Litigation Chamber limited the scope of the discussions to Article 15 of the GDPR alone. Accordingly, it does not
appear appropriate to examine these additional complaints, it being understood that the
finding of the truth of one of them cannot serve as a basis for imposing
sanctions against the defendant.
III. Corrective measures and sanctions
III.1. Range of sanctions
58. Under Article 100 of the LCA, the Litigation Chamber has the power to:
1° dismiss the complaint without further action;
14Group 29, Guidelines on transparency within the meaning of Regulation (EU) 2016/679, WP 260, points 30-32 and 48. Decision on the substance 107/2024 — 12/21
2° order that there be no case to answer;
3° order a suspension of the decision;
4° propose a settlement;
5° issue warnings and reprimands;
6° order compliance with the data subject's requests to exercise their rights
;
7° order that the data subject be informed of the security problem;
8° order the freezing, limitation or temporary or permanent prohibition of the processing;
9° order the processing to be brought into compliance;
10° order the rectification, restriction or erasure of the data and the notification of
these to the recipients of the data;
11° order the withdrawal of the accreditation of certification bodies;
12° impose periodic penalty payments;
13° impose administrative fines;
14° order the suspension of cross-border data flows to another State or an
international body;
15° forward the file to the Public Prosecutor's Office of the Brussels
King's Prosecutor, who shall inform him of the follow-up given to the file;
16° decide on a case-by-case basis to publish its decisions on the website of the
Data Protection Authority.
59. As for the administrative fine that may be imposed in implementation of Article 83 of the GDPR
and Articles 100, 13° and 101 LCA, Article 83 of the GDPR provides:
"1. Each supervisory authority shall ensure that administrative fines imposed under
this Article for infringements of this Regulation, referred to in paragraphs 4,
5 and 6, are, in each case, effective, proportionate and dissuasive;
2. Depending on the specific characteristics of each case, administrative fines shall
be imposed in addition to or instead of the measures referred to in Article 58, paragraph 2,
points (a) to (h), and (j). In deciding whether to impose an administrative fine and in deciding the amount of the administrative fine, due account shall be taken in each individual case of the following:
(a) the nature, gravity and duration of the breach, taking into account the nature, scope or
purpose of the processing concerned, as well as the number of data subjects affected
and the level of damage suffered by them;
(b) whether the breach was committed intentionally or negligently;
(c) any measures taken by the controller or processor to mitigate the
damage suffered by data subjects; Decision on the merits 107/2024 — 13/21
(d) the degree of responsibility of the controller or processor, taking into account
the technical and organisational measures implemented by them pursuant to
Articles 25 and 32;
(e) any previous relevant breach by the controller or
processor;
(f) the degree of cooperation established with the supervisory authority to remedy the
breach and mitigate its possible negative effects;
(g) the categories of personal data concerned by the breach;
(h) the manner in which the supervisory authority became aware of the breach, in particular whether and
to what extent the controller or processor has notified the breach;
(i) where measures referred to in Article 58(2) have
previously been ordered against the controller or processor concerned for the same
subject matter, compliance with those measures;
(j) the application of codes of conduct approved pursuant to Article 40 or
certification mechanisms approved pursuant to Article 42; and
(k) any other aggravating or mitigating circumstances applicable to the
circumstances of the case, such as financial benefits obtained or losses avoided,
directly or indirectly, as a result of the infringement”.
III.2. As to the imposition of an administrative fine
60. Article 58.2 of the GDPR grants supervisory authorities the power to take one or
more corrective measures against controllers. In accordance with
Article 58.2.i) of the GDPR, a supervisory authority may, depending on the
circumstances of each case, impose an administrative fine in addition to or instead of the
aforementioned corrective measures.
61. In this regard, Article 83.1 of the GDPR requires that a fine imposed by an
authority must, in each case, be effective, proportionate and dissuasive. Article 83.2 of the GDPR sets out a
number of criteria that must be duly taken into account in a specific case. In
addition, the highest fine applies in accordance with Article 83.5.b) of the GDPR. Indeed, in the event of a violation of the rights of the data subject (in this case, the right of access
guaranteed by Article 15 GDPR), the Litigation Chamber may impose an administrative
fine of up to EUR 20,000,000 or, in the case of a company, up to 4%
of its total worldwide annual turnover for the previous financial year, whichever is the highest. Decision on the merits 107/2024 — 14/21
62. A penalty imposed by the DPA in the form of a fine must be adequately justified,
the size of this penalty must, on the one hand, take into account the circumstances of the
individual case and, on the other hand, be proportionate to the infringement found as well as to the
status of the perpetrator of the infringement and his financial situation. However, no legal
provision requires the Contentious Chamber to rule on all the criteria provided for in
the aforementioned Article 83 of the GDPR, nor to indicate the numerical elements relating to the method of
determining the amount of the penalty imposed. The justification of the fine on the basis
of a detailed summary of each element taken into consideration for the determination of
the fine is therefore optional, but was carried out in this case.
63. In the present case, the administrative fine is justified by the fact that the defendant, whose turnover
is established at (…EUR) for the year 2023, violated Article 15 of the GDPR for a
period of 14 months. This violation was caused by the failure of two employees of the
defendant to properly handle the request for access made by the complainant,
thus denoting serious negligence – and this despite the fact that the processing of personal
data constitutes one of its core activities. Furthermore, the Litigation
Chamber takes into account the fact that although the defendant eventually gave a satisfactory
response to the complainant’s request for access, this response took effect during
the exchange of submissions between the parties. These elements – further developed below –
justify imposing an administrative fine, rather than a lower penalty such
as a warning or reprimand.
III.2.1. Calculation of the basic amount
64. Nature, gravity and duration of the violation (Article 83, paragraph 2, point a) of the GDPR) –
First, the Litigation Chamber notes that the defendant infringed the complainant’s right
of access. In addition to Article 15 of the GDPR, the right of access is also included in Article
8.2 of the European Charter of Fundamental Rights and therefore constitutes one of the essential
elements of the fundamental right to data protection; in other words, this is
the "gateway" that strengthens the control of the persons concerned over the data
15
In this sense, the decision of the French Council of State, 10th-9th joint chambers, 14/05/2024, 472221, states that "8. It follows
from the preceding provisions that, in the event that the legality of an administrative decision is based on taking into account
a certain number of considerations, compliance with the requirement of motivation that they provide for does not lead its author to
having to state only those on which the decision he has taken is based. Furthermore, there is no provision that the
restricted formation of the CNIL should provide an explanation of the amount of the penalties it imposes. It follows that
the restricted formation of the CNIL, which neither had to rule on all the criteria provided for in Article 83 of the aforementioned GDPR, nor to indicate the figures relating to the method of determining the amount of the penalty imposed, but in particular
based itself precisely on the criteria provided for in a and k of 2 of Article 83 of the GDPR as well as on the business model of the applicant company and the weight it represents in its economic sector, did not provide insufficient reasons for its decision",
and "11. The restricted formation of the CNIL, in imposing a fine of 3 million euros, complied with the rules set out in
Article 20 of the Law of 6 January 1978, cited in point 9. Furthermore, there is no provision, as stated in point 8, that
it should provide an explanation of the amount of the penalties it imposes. Consequently, the restricted formation of the
CNIL did not disregard the principle of legality of offences and penalties". Decision on the merits 107/2024 — 15/21
concerning and allows the exercise of other rights conferred on the person concerned by the
GDPR, such as the right to object and the right to erasure.
65. The effectiveness of the right of access is guaranteed by the terms set out in Article 12 of the GDPR,
which is intrinsically linked to Article 15 of the GDPR, among others. Therefore, by
giving satisfactory response to the complainant’s request for access only 14 months after the
date on which the complainant exercised his right of access, the defendant was guilty of a
continuous violation of Article 15 of the GDPR for more than 14 months.
66. Secondly, concerning the seriousness of the violation, the Litigation Chamber notes
first of all that the defendant is a telecommunications company, and that the
processing of personal data therefore constitutes one of its core activities.
Also, and as set out in the paragraphs above, there was a continuous violation of Article 15 of the GDPR for 14 months, which is the gateway to the exercise of other rights.
67. Thirdly, as for the duration of the violation, it continued for more than 14 months.
Article 12.3 of the GDPR provides that the controller must respond “as soon as possible and in any event within one month of receipt of the request. If necessary, this period may be extended by two months, taking into account the
complexity and number of requests.” In this regard, the Disputes Chamber specifies,
on the one hand, that the aforementioned extension of the deadline should only be used
exceptionally – which could otherwise indicate the need for the data controller to
develop its procedures for handling requests – and, on the other hand, that
the data controller must respond to a request for access within a period of less
than one month if it is able to do so.
68. Deliberate or negligent nature of the violation (Article 83, paragraph 2, point b) of the
GDPR) – A distinction is made between a violation caused by negligence and a violation caused
deliberately. The deliberate nature of a violation implies the meeting of two conditions,
namely knowledge of a violation as well as the will to cause it. Negligence is
defined, a contrario, by the absence of intentionality in the commission of the offence,
although the principle of diligence was not respected.
69. The Litigation Chamber specifies that a high threshold is set to consider a violation
as being deliberate. In addition, negligence can also be assessed by
degrees.
70. In the present case, there is no intentionality in the breach committed under Article 15 of
the GDPR. However, in view of the financial and human capacities of the defendant, as
well as the fact that the processing of personal data constitutes one of the
core activities of the defendant, the Litigation Chamber considers that the defendant committed serious negligence. This is all the more true since
the inability to know how to respond to a request for access issued by the complainant was
manifested among two employees of the defendant.
71. Categories of personal data concerned by the violation (Article 83,
paragraph 2, point g) of the GDPR) – It does not appear from the documents in the case file that
any data other than identification data were processed by the controller.
72. Classification of the seriousness of the violation and determination of the
appropriate starting amount –
The assessment of the above elements – namely the nature, seriousness and
duration of the violation, as well as the deliberate or negligent nature of the
violation and the categories of personal data concerned – makes it possible to determine the
degree of seriousness of the violation as a whole. According to this assessment, the seriousness of the
violation can be described as “low”, “medium” or “high”.
73. In this case, it should first be noted that the violation of Article 15 is among the
violations listed in Article 83.5 of the GDPR, thus falling under the higher level of
Article 83 of the same Regulation. It should also be noted that the processing of
personal data that motivated the complainant to exercise his right of access
constitutes one of the core activities of the defendant. In addition, the
complainant received a response more than 14 months after exercising his right of access, and this
during the exchange of submissions in the present procedure. However, it does not emerge from the
case that data other than identification data were processed by the
defendant. Furthermore, the violation concerns only the person of the complainant. In
addition, the damage suffered by the latter is low, given that he already had
part of the answers he requested from the defendant and that he did not have the right to access
other information requested, namely the identity of the employees who processed his
personal data. In any event, the violation committed by the defendant
is the result of gross negligence on its part.
74. In light of the elements set out above, the Litigation Chamber concludes that the
violation found is of low gravity. Therefore, for the calculation of the subsequent amount, a starting amount of between 0% and 10% of the maximum legal amount provided for
in Article 83.5 of the GDPR will be set.
75. The turnover of the defendant amounting to (…) EUR for the year 2023, the Litigation
Chamber establishes as the basic calculation amount the sum of EUR 100,000. Decision on the merits 107/2024 — 17/21
III.2.2. Mitigating and aggravating circumstances
76. Measures taken to mitigate the damage suffered by the complainant (Article 83.2.c) of the GDPR) –
As regards the measures taken to mitigate the damage suffered by the complainant, the
Litigation Chamber acknowledges that the defendant eventually provided a complete and satisfactory
response to the complainant. However, it cannot be ignored that this
response was provided after the parties had been invited to submit their
submissions.
77. Degree of responsibility of the defendant taking into account the technical and
organisational measures implemented in accordance with Articles 25 (Article 83.2.d) of the
GDPR) – The Litigation Chamber, assessing the level of responsibility of the
defendant, notes that the latter is fully responsible for the management of the requests of
data subjects that it receives, including the right of access.
78. This responsibility encompasses various aspects, in particular the efficiency of the
execution of requests, the definition of specific codes to respond appropriately to
requests made under Articles 15 to 22 of the GDPR, as well as the understanding and
implementation of clear and effective procedures by all staff, from
managers to internal staff.
79. The Litigation Chamber notes that the defendant had at the time of the facts a
point of contact with its data protection officer. This did not, however, prevent the complainant’s request for access from being properly followed up more than 14
months after it was made, particularly because the defendant did not forward the complainant’s request to its DPO, and even wrongly
declared to the complainant that it did not have a DPO contact point.
80. Previous violations committed by the data controller (Article 83.2.e) of the
GDPR) – The Litigation Chamber did not find any violation of Article 15 of the GDPR
previously committed by the defendant, or any other violation that would be
relevant in this case. This criterion is then deemed neutral, it being understood that compliance with the
standards of the GDPR is the norm.
81. Degree of cooperation with the supervisory authority (Article 83.2.f) of the GDPR) – The Litigation Chamber
notes that the defendant has been fully cooperative towards it. This criterion is deemed to be neutral, since it is a general duty established by Article
31 of the GDPR.
82. Manner in which the supervisory authority became aware of the violation (Article
83.2.h) of the GDPR) – The Litigation Chamber became aware of the violation
through a complaint. This criterion is deemed to be neutral. Decision on the merits 107/2024 — 18/21
83. Any other aggravating or mitigating circumstance (Art. 83.2.k) of the GDPR) – No other aggravating or mitigating circumstance
emerges from the present case.
III.2.3. The effective, disproportionate and dissuasive nature of the fine
84. A fine is considered effective if it achieves its objectives, such as restoring
compliance with the rules and sanctioning unlawful conduct. In this case, the fine aims to sanction
the negligent and serious conduct of the defendant. In addition, it aims to deter
other similar violations in the future. The prolonged violation of the
complainant’s fundamental rights, despite the complainant’s request for access and multiple reminders, demonstrates the
need for a firm response from the Litigation Chamber. In this case, the
defendant, with a turnover of more than (… euros), can bear a fine
of EUR 100,000 (less than 0.01% of the turnover) without compromising its
economic viability. The Litigation Chamber sought a dissuasive final fine amount, in order to prevent the defendant from repeating the violation of the GDPR rules.
In addition, it also seeks to deter other companies from committing
similar violations.
III.2.4. Reaction of the defendant to the sanction form
85. As a preliminary point, the defendant highlights the circumstances of the present case. It states
that this is a one-off and isolated infringement, but not an infringement that would be
systemic in nature. This violation would have its source not in deliberate intent or
serious negligence, but in simple negligence. It adds that the number of
persons affected by the violation is limited to the single complainant, the latter having suffered
extremely limited harm – this is justified in particular by the fact that the
violation of the GDPR committed concerns only simple identification data. In this regard, the defendant notes that although the right of access constitutes the "gateway" to the exercise of the other rights conferred by the GDPR, the complainant did not exercise these same rights after obtaining a response to his request for access on 28 March 2023. In any event, the defendant notes that it has corrected the violation it committed, and has implemented additional internal measures, including training in its customer service to enable employees working there to better recognise access requests, but also to better process them. Finally, the defendant argues that it receives an average of 150 requests for access per year, and that, consequently, it is possible that requests are answered beyond the deadlines provided for in Article 12.3 of the GDPR due to the occurrence of human errors. 86. The defendant contests (i) the choice to impose an administrative fine and (ii)
its amount. Decision on the merits 107/2024 — 19/21
(i) Concerning the choice to impose an administrative fine
87. On the one hand, the defendant recalls the judgments of the Market Court by which the
latter held that the sole violation of the time limits established by Articles 12.3 and 12.4 of the GDPR
cannot justify the imposition of a sanction.
88. On the other hand, the defendant denounces a disproportion between the choice to impose an
administrative fine and the facts presented above. The defendant states that
the Litigation Chamber has a wide range of sanctions at its disposal. However, it considers
that the Litigation Chamber would not justify the reason why the imposition of an
administrative fine would be necessary in this case, and the reason why other
sanctions, such as a reprimand or warning, would not be appropriate.
(ii) The amount of the administrative fine
89. In the final analysis, the defendant considers that the amount of the fine is
totally disproportionate to the seriousness of the facts of the case.
III.2.5. Final amount of the fine
90. In light of the defendant’s reaction, the Litigation Chamber decides to maintain
the amount of the fine as communicated to the defendant on 3 July 2024, namely
EUR 100,000.
91. The defendant in fact asserts as new elements only the fact of having adopted
additional measures internally in order to prevent such a violation from
recurring in the future, and the information relating to the number of requests for access that it
receives on average per year (150).
92. First of all, the Litigation Chamber notes that the organisation of adequate
training for staff in order to enable them to better handle requests to exercise
the rights of data subjects is what is expected of a data controller, particularly when
it occupies such a position in the market. Since compliance with the
GDPR is the norm, this element cannot be assessed other than as a
neutral criterion.
93. Furthermore, the Litigation Chamber wishes to emphasise that the processing of personal data is a core activity of the defendant, and that in view of its sector of activity, its size and the number of clients whose personal data the defendant processes, the risks arising from this are all the higher.
Consequently, the defendant must be more vigilant with regard to the protection of personal data, and to adopt robust procedures in order to guarantee compliance with the Decision on the merits 107/2024 — 21/21
In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged,
within thirty days of its notification, with the Market Court (Brussels Court of Appeal), with the Data Protection Authority as the defendant.
Such an appeal may be filed by means of an interlocutory application which must contain the
18
information listed in Article 1034ter of the Judicial Code. The interlocutory application must be
19
filed at the registry of the Market Court in accordance with Article 1034quinquies of the Judicial Code, or
via the e-Deposit information system of the Ministry of Justice (Article 32ter of the Judicial Code).
(sé). Hielke H IJMANS
President of the Litigation Chamber
18The application must contain, under penalty of nullity:
1° the indication of the day, month and year;
2° the surname, first name, address of the applicant, as well as, where applicable, his/her qualifications and his/her national register number or
company number;
3° the surname, first name, address and, where applicable, the qualifications of the person to be summoned;
4° the subject and summary of the grounds of the application;
5° the indication of the judge who is seized of the application;
6° the signature of the applicant or his lawyer.
19
The application, accompanied by its annex, is sent, in as many copies as there are parties involved, by registered letter to the clerk of the court or filed with the registry.
